Georgia-Russia Conflict: Cyberwar as Counterinsurgency

There have been a number of excellent pieces on the cyberwarfare dimension in the ongoing conflict between Georgia, the separatist regions of South Ossetia and Abkhazia, and Russia. Here is a partial list:

After looking through photos of charred bodies among the detritus of war (via Danger Room), it might be easy to dismiss the significance of cyberwarfare. However, one should remember the question is not whether an unavailable service or defaced website outweighs the human cost of war but rather how cyberwar fits into its larger scope.

On a tactical level, there are a number of questions we can ask. Can cyberwarfare play a role in psychological warfare? Will it disrupt “network-centric warfare” and battlefield communication? How does it serve intelligence gathering? Certainly, cyberwarfare has had an impact in the propaganda battle (for example, see John Little’s post “South Ossetian Separatist Propaganda On the Web”). Moreover, cyberwar’s ability to capture the public imagination–as well as that of the military establishment–is itself a force multiplier whether cyberwarfare is media-generated hype or not. Even if its threat has been overestimated, perceptions within the US, Russia, China, and elsewhere have led to resources being devoted to this mode of warfare that might have been devoted to conventional weapons. This fact alone illustrates that the cultural impact of a particular weapons system can exceed its destructive capacity.

What if culture–the “human terrain”–is the primary battlefield of cyberwar, not cyberspace? This could explain the failure of the U.S. military’s attempts to “dominate” cyberspace, a notion more in line with Revolution in Military Affairs (RMA) doctrine than the more “culturally-orientated” Counterinsurgency (COIN) theory. This brings me to John Robb’s post in which he discusses the advantages of cyberwarfare:

Deniability. Offensive operations by government computers/personnel against a target nation are an act of war. Actions by civilian vigilantes are not and can be disowned. An inability to point to an offending organization can make blame difficult to affix: note the speed at which the US tech press was willing to deny a Russian cyberwar against Estonia.

A huge talent pool. Rather than spend money on training a limited number of uniformed personnel (likely poorly), it’s possible to draw on a talent pool of hundreds of thousands of participants (from hackers to IT professionals to cybercriminals). Given the rapid decay/turnover in skills, high rates of innovation, high compensation, and the value of real-world expertise, the best people for cyberwarfare don’t work (nor will they ever) in the government. The best you can do is rent/entice them for a while.

Access to the best Resources/Weaponry. The best tools for cyberwarfare are developed in the cybercriminal community. They have vast and rapidly growing capabilities: a plethora of botnets, worms, compromised computers within target networks, identity information, etc. Further, these capabilities are cheap to rent.

With these three advantages in mind, a DDoS attack may have more in common with insurgency/counterinsurgency tactics than “shock and awe.” First, cyberwarfare resembles covert action–or perhaps “overt covert” action–more than it relies on the spectacle of rapid dominance. Combatants are difficult to combat, and attacks are hard to recognize. A website slowed by regular usage or down for maintenance could trigger fears of cyber attacks, analogous to the power outages in the United States that stimulated worries about terrorism. Secondly, this “huge talent pool” is not an organized, hierarchical army but rather an insurgency. Actors are as much unconnected as they are interconnected, defying the grasp of “full-spectrum dominance.” Lastly, the best resources and weapons are not the product of the most advanced military-industrial establishment but of a criminal underground–and they are cheap, easy to use, and available to anyone.

Robb goes on to make great points on why the United States fails at cyberwarfare and what should be done to establish a cyberwarfare capability:

Engage, co-opt, and protect cybercriminals. Essentially, use this influence to deter domestic commercial attacks and encourage an external focus. This keeps the skills sharp and the powder dry.

Seed the movement. Once the decision to launch a cyberattack is made, start it off right. Purchase botnets covertly from criminal networks to launch attacks, feed ‘patriotic’ blogs to incite attacks and list targets, etc.

Get out of the way. Don’t interfere. Don’t prosecute participants. Take notes.

For these reasons, cyberwarfare should be something left to the intelligence community, equipped with an Internet connection and a cultural awareness of hackers and the intended target, rather than the Air Force with its outmoded RMA high-technology fetish.

“If by chance you were to ask me which ornaments I would desire above all others in my house, I would reply, without much pause for reflection, arms and books.”
—Fra Sabba da Castiglione, Knight of St. John